I think code execution by insecure deserialization is the big Java security problem now, though I'm neither a security guy nor a Java guy.